Testing Scala Play (2.2.1) controllers with CSRF protection


Problem description

I've been having some problems testing controllers that use Play's CSRF protection. To demonstrate this, I've created a very simple Play application that minimally exhibits the problem.

https://github.com/adamnfish/csrftest

The full details are on the README of that repository, but to summarise here:

Consider a controller that is designed to handle a form submission. It has a GET method that uses CSRFAddToken and a POST method that uses CSRFCheck. The former adds a CSRF Token to the request so that a form field can be put in the rendered view, containing the valid token. When that form is submitted, if the CSRF check passes and the submission is valid, something else will happen (typically a redirect). If the form submission is not valid, the form submission is re-shown along with any errors so the user can correct the form and submit again.

This is great!

However, in the tests we now have some problems. To test the controller you can pass a fake request to it in the test. The CSRF check itself can be skipped by adding the nocheck header to the fake request, but the view cannot be rendered because no token is available to generate the form field. The test fails with a RuntimeException, "Missing CSRF Token (csrf.scala:51)".

Given that it works when it's actually running but not in the tests, it seems like this must be a problem with the way FakeRequests are run in Play tests but I may be doing something wrong. I've implemented the CSRF protection as described at http://www.playframework.com/documentation/2.2.1/ScalaCsrf and the testing as described at http://www.playframework.com/documentation/2.2.1/ScalaFunctionalTest. I'd appreciate any pointers if anyone has managed to test CSRF protected forms.

Recommended answer

One solution is to test using a browser, e.g. Fluentlenium, as this will manage cookies etc., so the CSRF protection should all just work.

The other solution is to add a session to the FakeRequest so that it contains a token, e.g.:

FakeRequest().withSession("csrfToken" -> CSRF.SignedTokenProvider.generateToken)

Obviously if you're doing that a lot, you can create a helper method to do that for you.
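The helper the answer suggests, written out as an added example (not code from the question's repository or from the answerer): one test-side object that builds FakeRequests carrying a signed token in the session, and a specs2 spec that drives both the CSRFAddToken GET and the CSRFCheck POST with it. It assumes Play 2.2.1 with play.filters.csrf, a hypothetical controller `controllers.Application` with actions `form` and `submit` taking a single field "name", the default token name `csrfToken`, a view that renders the token with `CSRF.formField`, and the `Helpers.call` signature that accepts an EssentialAction.

```scala
// Added example: test helpers for Play 2.2.1 controllers wrapped in CSRFAddToken / CSRFCheck.
// Controller, action and field names below are hypothetical; adjust to your own project.
import org.specs2.mutable.Specification
import play.api.mvc.{AnyContentAsEmpty, AnyContentAsFormUrlEncoded}
import play.api.test._
import play.api.test.Helpers._
import play.filters.csrf.CSRF

object CsrfTestHelpers {
  // Session key the CSRF filter reads the token from (default; configurable via csrf.token.name).
  val TokenName = "csrfToken"

  // A signed token, the same kind the filter would have issued to a real browser session.
  def freshToken: String = CSRF.SignedTokenProvider.generateToken

  // GET that already carries a token, so CSRFAddToken and the view's form field find one
  // instead of failing with "Missing CSRF Token".
  def csrfGet(path: String): FakeRequest[AnyContentAsEmpty.type] =
    FakeRequest(GET, path).withSession(TokenName -> freshToken)

  // Form POST that satisfies CSRFCheck the way a genuine submission does: the token in the
  // session and the matching token in the body, rather than bypassing the check with nocheck.
  def csrfPost(path: String, fields: (String, String)*): FakeRequest[AnyContentAsFormUrlEncoded] = {
    val token = freshToken
    FakeRequest(POST, path)
      .withSession(TokenName -> token)
      .withFormUrlEncodedBody((fields :+ (TokenName -> token)): _*)
  }
}

class ApplicationSpec extends Specification {
  import CsrfTestHelpers._

  "Application.form" should {
    "render the form when a token is present" in new WithApplication {
      val result = call(controllers.Application.form(), csrfGet("/"))
      status(result) must equalTo(OK)
      contentAsString(result) must contain(TokenName) // hidden field from CSRF.formField (assumed)
    }
  }

  "Application.submit" should {
    "re-render the form with errors instead of throwing when the submission is invalid" in new WithApplication {
      val result = call(controllers.Application.submit(), csrfPost("/", "name" -> ""))
      status(result) must equalTo(BAD_REQUEST)
    }
    "redirect when the submission is valid" in new WithApplication {
      val result = call(controllers.Application.submit(), csrfPost("/", "name" -> "Ada"))
      status(result) must equalTo(SEE_OTHER)
    }
  }
}
```

Because csrfPost puts a matching token in both session and body, the test exercises the real CSRFCheck path rather than skipping it, so a controller that silently lost its protection would fail the spec.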

